Support User Manuals

Cisco Systems 2955 Switch User Manual

Open as PDF

of 674

9-24

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide

OL-10101-02

Chapter 9 Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Authentication

You can enable optional guest VLAN behavior by using the dot1x guest-vlan supplicant global

configuration command. When enabled, the switch does not maintain the EAPOL packet history and

allows clients that fail authentication access to the guest VLAN, regardless of whether EAPOL packets

had been detected on the interface.

Beginning in privileged EXEC mode, follow these steps to enable the optional guest VLAN behavior

and to configure a guest VLAN. This procedure is optional.

To disable the optional guest VLAN behavior, use the no dot1x guest-vlan supplicant global

configuration command. To remove the guest VLAN, use the no dot1x guest-vlan interface

configuration command. If the port is currently authorized in the guest VLAN, the port returns to the

unauthorized state.

This example shows how enable the optional guest VLAN behavior and to specify VLAN 5 as an

IEEE

802.1x guest VLAN:

Switch(config)# dot1x guest-vlan supplicant

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# dot1x guest-vlan 5

Configuring a Restricted VLAN

When you configure a restricted VLAN on a switch, clients that are IEEE 802.1x-compliant are moved

into the restricted VLAN when the authentication server does not receive a valid username and

password. The switch supports restricted VLANs only in single-host mode.

Command Purpose

Step 1

configure terminal Enter global configuration mode.

Step 2

dot1x guest-vlan supplicant Enable the optional guest VLAN behavior globally on the switch.

Step 3

interface interface-id Specify the port to be configured, and enter interface configuration mode.

For the supported port types, see the

“IEEE 802.1x Authentication

Configuration Guidelines” section on page 9-13.

Step 4

switchport mode access Set the port to access mode.

Step 5

dot1x port-control auto Enable IEEE 802.1x authentication on the port.

Step 6

dot1x guest-vlan vlan-id Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1

to 4094.

You can configure any active VLAN except an RSPAN VLAN or a voice

VLAN as an IEEE 802.1x guest VLAN.

Step 7

end Return to privileged EXEC mode.

Step 8

show dot1x interface interface-id Verify your entries.

Step 9

copy running-config startup-config (Optional) Save your entries in the configuration file.

previous next